We covered an introduction to malware analysis, covering aspects such as the definition of malware, malware campaigns, and the types of malware analysis methods (static and dynamic), and finished with a practical example by solving the TryHackMe MAL: Malware Introductory room.

Please watch the video at the bottom for a full, detailed explanation of the walkthrough.

Blue Team Study Notes

Malware Analysis Study Notes

Overview

This video is an introductory session on malware analysis as part of a TryHackMe room. It emphasizes:

  1. Static Analysis: Analyzing files without executing them.
  2. Initial Steps: Hashing, checking for obfuscation or packers, and inspecting file strings.
  3. Hands-On Tools: Demonstrations of tools used in malware analysis.

Intro to Malware Analysis

Malware is a prevalent topic within cybersecurity, and an unfortunately recurring theme in global news today.

Not only is malware analysis a form of incident response, but it is also useful in understanding how the behaviours of malware variants result in their respective categorisation.

When analysing malware, it is important to consider the following:

  • Point of Entry (PoE), i.e. was it through spam that our e-mail filtering missed and the user opened the attachment? Let’s review our spam filters and train our users better for future prevention!
  • What are the indicators that malware has even been executed on a machine? Are there any files, processes, or perhaps any attempt of “un-ordinary” communication?
  • How does the malware perform? Does it attempt to infect other devices? Does it encrypt files or install anything like a backdoor / Remote Access Tool (RAT)?
  • Most importantly – can we ultimately prevent and/or detect further infection?!

1. Objectives of Malware Analysis

  • Determine whether files are malicious or benign.
  • Identify suspicious characteristics such as packers, obfuscated code, or embedded data.
  • Utilize initial checks to filter potentially dangerous files before deeper analysis.

Malware Attack Steps

  1. Delivery
  2. Execution
  3. Maintaining persistence (not always the case!)
  4. Propagation

These steps generate lots of data, namely network traffic (such as communication with hosts) and file system interaction (reads, writes and modifications).

2. Tools and Techniques

A. Hashing Files

  1. Purpose:
    • Generate hashes (e.g., MD5, SHA-256) to verify file integrity.
    • Check against malware databases like VirusTotal.
  2. Process:
    • Generate hashes using tools like FileHash or system utilities.
    • Compare hashes with known malware hashes on VirusTotal.
  3. Findings:
    • Files marked as “not malicious” in VirusTotal aren’t necessarily safe; they may evade detection due to obfuscation.

B. Checking for Packers

  1. Purpose:
    • Packers or compression techniques are used to obfuscate the actual code of an executable.
    • Malicious actors use packers to bypass antivirus detection.
  2. Tools:
    • PEiD: Identifies packers used in executables.
    • IDA Freeware: Examines packed vs. unpacked imports and code structures.
  3. Findings:
    • Files with minimal imports are likely packed.
    • Packed files can indicate malicious intent or legitimate software protection.

C. Viewing Strings in Files

  1. Purpose:
    • Extract readable ASCII or Unicode text from binary files to uncover:
      • URLs.
      • IP addresses.
      • Hardcoded credentials or Bitcoin addresses.
  2. Tools:
    • Strings: Command-line tool for extracting text.
    • PE Explorer: GUI tool for inspecting strings and file metadata.
  3. Process:
    • Run the strings command on the file to extract human-readable content.
    • Review the output for suspicious URLs or commands.
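To make steps A and C concrete, here is an added Python example (not code from the page, the room or the tools it names) that hashes a buffer the way you would before a VirusTotal lookup, pulls printable ASCII and UTF-16LE strings the way the strings tool does, and flags URLs, IPs and domains among them; the SAMPLE bytes, the NOT_TLDS list and all function names are my own constructions.

```python
import hashlib
import re

MIN_LEN = 4  # the strings utility's default minimum run length

def hash_bytes(data: bytes) -> dict:
    """MD5 and SHA-256 hex digests: the values you paste into VirusTotal."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Mimic `strings`: printable ASCII runs plus UTF-16LE runs (ASCII char, NUL pairs)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in utf16_re.finditer(data)]
    return found

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
# File extensions the domain regex would otherwise mistake for TLDs (assumed list, extend as needed).
NOT_TLDS = {"dll", "exe", "sys", "ocx", "bin", "dat", "ini", "log", "txt", "pdb"}

def find_indicators(strings: list) -> dict:
    """Pick the URLs, IPs and domains out of the extracted strings."""
    urls, ips, domains = set(), set(), set()
    for s in strings:
        urls.update(URL_RE.findall(s))
        ips.update(IP_RE.findall(s))
        for d in DOMAIN_RE.findall(s):
            if d.rsplit(".", 1)[-1].lower() not in NOT_TLDS:
                domains.add(d.lower())
    return {"urls": sorted(urls), "ips": sorted(ips), "domains": sorted(domains)}

def triage(data: bytes) -> dict:
    """Steps A and C on one buffer: hash it, then pull strings and indicators."""
    strings = extract_strings(data)
    return {"hashes": hash_bytes(data), "strings": strings,
            "indicators": find_indicators(strings)}

# Constructed stand-in for a small binary (not a real sample): a DOS-header fragment,
# a couple of import names, an ASCII domain, a hard-coded IP and a UTF-16LE path.
SAMPLE = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
          b"kernel32.dll\x00GetProcAddress\x00"
          b"\x01\x02\x03practicalmalwareanalysis.com\x00"
          b"\x05\x06connect 10.0.0.5:4444\x00\x00"
          + "C:\\Windows\\System32\\cmd.exe".encode("utf-16-le") + b"\x00\x00")
```

Run `triage(open(path, "rb").read())` on a real file to get the hashes to look up and the strings to review; a file that yields almost no strings or imports is the packing signal step B describes.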

3. Hands-On Steps

Task 1: Generating File Hashes

  • Identify the MD5 or SHA-256 hashes of malware samples.
  • Use VirusTotal to cross-check hashes against its database.
  • Examples:
    • Legitimate files may pass VirusTotal scans but still require further inspection.

Task 2: Detecting Packers

  • Open files in PEiD to detect packers.
  • Analyze imports using IDA Freeware:
    • Packed files typically have fewer imports.
    • Non-packed files show more detailed imports.

Task 3: String Extraction

  • Use the strings command to extract readable text from the files.
  • Look for indicators like:
    • URLs: HTTP/HTTPS links.
    • Hardcoded credentials or IP addresses.

Static vs Dynamic Malware Analysis

Static Analysis

In brief, “Static Analysis” is used to gain a high-level abstraction of the sample – it can be fairly simple to decide whether a piece of code is “malicious” or not with this method alone (but not always; this will be discussed later…). At its core, this method analyses the sample in the state it presents itself, without executing the code.

Employing techniques such as signature analysis via checksums allows quick, efficient (albeit extremely brief) and safe analysis of malware.

Dynamic Analysis

This step is a lot more involved, and is where the abstraction of the sample is largely built upon. “Dynamic Analysis” essentially involves executing the sample and observing what happens. This, of course, is not safe. If the sample turns out to be “Ransomware” – you’ve now lost your files. If it is capable of propagating by traversing a network, nice… you’ve now just infected your Local Area Network (LAN).

Malware Packing

Packing is one form of obfuscation that malware authors employ to prevent the analysis of programmes. There are both legitimate and malicious reasons why the author of a program would want to prevent the decompiling of their program.

For example, a legitimate reason is the protection of intellectual property! Whilst I’m one for open-source as much as the next person here – alas, not every organisation has the same mindset… but let’s leave that aside.

By the same token, just because you write a program… why should everyone have the right to “copy” your project? This is one of the justifiable reasons for obfuscation – it is yours at the end of the day!

However, malware authors employ obfuscation techniques such as packing for the same reasons, with the intent of preventing people like us from reversing the sample to understand its behaviours, and ultimately with the aim of achieving infection.

How packing works is out of scope for this room, but I hope to be able to delve into topics like these later on within THM, so that you can understand the theory behind the practical skills you’ll be using.

4. Key Findings

  • Malware analysis requires multiple steps:
    • Hashing for initial database comparisons.
    • Static analysis to uncover packers or suspicious strings.
  • Legitimate software can sometimes mimic malware due to protection techniques like packing.
  • Dynamic analysis may follow static analysis for a comprehensive understanding.

Room Answers | TryHackMe MAL: Malware Introductory

What is the famous example of a targeted attack-esque Malware that targeted Iran?
Stuxnet

What is the name of the Ransomware that used the Eternalblue exploit in a “Mass Campaign” attack?
Wannacry

Name the first essential step of a Malware Attack?

Delivery

Now name the second essential step of a Malware Attack?

Execution

What type of signature is used to classify remnants of infection on a host?

Host-Based Signatures

What is the name of the other classification of signature used after a Malware attack?

Network-Based Signatures


The MD5 Checksum of aws.exe

D2778164EF643BA8F44CC202EC7EF157

The MD5 Checksum of Netlogo.exe

59CB421172A89E1E16C11A428326952C

The MD5 Checksum of vlc.exe

5416BE1B8B04B1681CB39CF0E2CAAD9F

Does Virustotal report this MD5 Checksum / file aws.exe as malicious? (Yay/Nay)

Nay

Does Virustotal report this MD5 Checksum / file Netlogo.exe as malicious? (Yay/Nay)

Nay

Does Virustotal report this MD5 Checksum / file vlc.exe as malicious? (Yay/Nay)

Nay

What does PeID propose 1DE9176AD682FF.dll being packed with?

Microsoft Visual C++ 6.0 DLL

What does PeID propose AD29AA1B.bin being packed with?

Microsoft Visual C++ 6.0

What packer does PeID report file “6F431F46547DB2628” to be packed with?

FSG 1.0 -> dulek/xt

What is the URL that is outputted after using “strings”?

practicalmalwareanalysis.com

How many unique “Imports” are there?

5

How many references are there to the library “msi” in the “Imports” tab of IDA Freeware for “install.exe”?

9

What is the MD5 Checksum of the file?

f5bd8e6dc6782ed4dfa62b8215bdc429

Does Virustotal report this file as malicious? (Yay/Nay)

Yay

Output the strings using Sysinternals “strings” tool.

What is the last string outputted?

d:h:

What is the output of PeID when trying to detect what packer is used by the file?

Nothing Found

Video Walkthrough | TryHackMe MAL: Malware Introductory

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
